To connect to resources under this domain, millnert.se., using SSL, you can choose to trust the MillnertCA Root CA (M-CA).
tl;dr -- The M-CA can be installed as a "trusted" root certificate on your computer, or in your browser, by offloading the trust resolution to PGP's web of trust. Martin Millnert uses his PGP key with ID 0x59AF0C4C for this.
First, we have the ordinary PGP groundwork. (You may skip down to the CA part if you are familiar with PGP.)
- Martin meets with Bob in person at some point and presents his PGP key's fingerprint (48B3 CA32 4C83 4604 AE36 F92C A82B 68D7 59AF 0C4C).
- Bob, later at his computer, is able to verify Martin's (public) PGP key, a copy of which Bob can have obtained from 1) a PGP keyserver, 2) the sneakernet, 3) email from Martin, or 4) some other source. Bob assigns some degree of trust to the key.
- At this point, either Bob and Martin both have large enough webs of trust that they can establish trust between themselves without actually exchanging signed keys, or they may choose to perform a key signing in order to establish a sufficient degree of trust between themselves. For the purposes of trusting the signature on the PEM file of the M-CA root certificate, it may be sufficient for Bob to match the fingerprint he received from Martin in person against the fingerprint of the copy of Martin's (public) PGP key he obtained.
With the basic PGP plumbing in place, we can continue:
- Bob downloads the M-CA PEM file from this web page, together with its PGP signature file.
- Bob then verifies the signature and, presumably, sees that it matches. Based on the trust resolved through the PGP model, Bob can now be (variably) sure that the M-CA PEM file was actually signed by Martin, and he can proceed to trust X.509 certificates signed by this root certificate.
- Moving on, Bob can now install this PEM file into his browser and/or operating system. He will thereafter be able to trust Martin's resources on the Internet in general, and on the web in particular, based upon a direct trust relationship between him and Martin (typically unheard of in standard web security). (See the note on X.509's deficiencies below.)
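The verification step above, as an added example (not part of the original page). It pins the check to the fingerprint Bob received in person, because a plain "good signature" only means that some key in Bob's keyring signed the file. It assumes gpg and openssl are installed and Martin's public key is already imported; verify_ca, check_status and the file names in the usage line are names chosen for this example.

```shell
#!/bin/sh
# Added example. File names in the usage line are placeholders.

# Strip spaces and upper-case a fingerprint as printed for humans.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Fingerprint from this page, as Bob received it from Martin in person.
EXPECTED_FPR=$(normalize_fpr "48B3 CA32 4C83 4604 AE36 F92C A82B 68D7 59AF 0C4C")

# Read `gpg --status-fd` lines on stdin. Succeed only when a VALIDSIG line
# names the expected fingerprint and no BADSIG/ERRSIG line is present.
# VALIDSIG: field 3 is the signing key, the last field the primary key.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
    END { exit !(ok && !bad) }
  '
}

# Verify a detached signature over the PEM file, pinned to EXPECTED_FPR,
# then print the certificate details to review before installing it.
verify_ca() {
  pem=$1
  sig=$2
  gpg --batch --status-fd 1 --verify "$sig" "$pem" 2>/dev/null \
    | check_status "$EXPECTED_FPR" || {
      echo "signature not made by $EXPECTED_FPR: do not install $pem" >&2
      return 1
    }
  openssl x509 -in "$pem" -noout -subject -dates -fingerprint -sha256
}

# Usage (placeholder names): verify_ca m-ca.pem m-ca.pem.sig
```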
A note on X.509's deficiencies will be forthcoming here. Meanwhile, please do realize that it leaves a lot to be desired...